Executive Summary

This vulnerability in Open5GS up to version 2.7.7 causes the Access and Mobility Management Function (AMF) to crash when processing a specific HTTP POST request to the endpoint /namf-callback/v1/{id}/sdmsubscription-notify.

The crash happens because the AMF's parser accepts a malformed request where the changeItem in the ModificationNotification is missing the newValue field. Later, the function amf_namf_callback_handle_sdm_data_change_notify attempts to dereference this missing newValue, leading to a segmentation fault and causing the AMF process to terminate unexpectedly.

This flaw can be exploited remotely with a single HTTP request, resulting in a denial of service by crashing the AMF component.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can cause a denial of service by crashing the AMF process in Open5GS, which is a critical component in 5G core networks.

An attacker can remotely trigger this crash with a specially crafted HTTP POST request, causing the AMF to terminate abnormally and potentially disrupting network services that rely on it.

This disruption can lead to service unavailability or degraded performance in mobile network operations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for abnormal crashes or termination of the AMF process in Open5GS when it receives HTTP POST requests to the endpoint /namf-callback/v1/{id}/sdmsubscription-notify.

Specifically, detection involves checking for segmentation faults or denial of service triggered by malformed ModificationNotification messages where the changeItem.newValue field is missing.

You can use network monitoring tools or HTTP request logging to identify suspicious POST requests to the vulnerable endpoint.

• Use tcpdump or Wireshark to capture HTTP POST traffic to /namf-callback/v1/*/sdmsubscription-notify.
• Example tcpdump command: tcpdump -i <interface> -A 'tcp port 80 or 443' | grep '/namf-callback/v1/'
• Check Open5GS AMF logs for crashes or segmentation faults related to the callback endpoint.
• Use system commands like 'journalctl -u open5gs-amf' or 'ps' to monitor AMF process status.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include monitoring and restricting access to the vulnerable AMF SBI Endpoint /namf-callback/v1/{id}/sdmsubscription-notify to prevent malicious HTTP POST requests.

Implement network-level filtering or firewall rules to block unauthorized or suspicious requests targeting this endpoint.

If possible, apply input validation or patch updates from Open5GS once available to ensure the AMF properly rejects malformed requests instead of crashing.

In the meantime, monitor the AMF process for crashes and restart it promptly if it terminates unexpectedly.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0